July 2007 Critical Patch Update Released

Today, Oracle released the July 2007 Critical Patch Update (CPUJul2007).This Critical Patch Update (CPU) addresses a total of 45 vulnerabilities affecting Oracle Database Server, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, and Oracle PeopleSoft Enterprise.Out of these 45 vulnerabilities, thirteen are �remotely exploitable without authentication�.This means that an attacker could exploit these vulnerabilities remotely without having to authenticate directly to the targeted system.Seventeen out of these 45 vulnerabilities affect Oracle Database Server, and two of them are �remotely exploitable without authentication.�Finally, the highest CVSS �base score� in this Critical Patch Update is 4.8, and it affects two vulnerabilities in Oracle PeopleSoft Enterprise.The CVSS (Common Vulnerability Scoring System) score can provide users with an idea of the relative importance of the criticality of a given vulnerability in their environment.For more information on Oracle�s application of CVSS, see MetaLink note 394487.1 (subscription to MetaLink required). As usual, we encourage our customers to apply Critical Patch Updates in a timely fashion in order to continue to maintain a proper security posture.

In a previous blog entry (April 2007 Critical Patch Update Released), I discussed Oracle�s three main guiding principles for the Critical Patch Update.These principles are (1) maximum security, (2) predictability and (3) simplicity to provide a manageable cost of security ownership to our customers.As a result of Oracle�s ongoing commitment to these principles, the company has introduced many enhancements to the Critical Patch Update process.With this Critical Patch Update, Oracle introduces yet another such enhancement: the napply CPU (pronounced �N Apply�).

The napply CPU isan enhanced CPU format for Oracle Database Server for Unix and Linux platforms version 10.2.0.3 and onward (including 10.2.0.4 and 11g).In a napply CPU, the security fixes are now grouped in what are called molecules.Each molecule in the CPU is independent, and does not conflict with other molecules in the CPU.Conflicts between molecules occur when fixes included respectively in each molecule affect the same file or group of files.

The napply CPU is for the benefit of customers who encounter merge conflicts when installing CPU patches.While the majority of customers never encounter such conflicts, we expect the following benefits from the introduction of the napply CPU:

The new CPU format will greatly simplify the patch conflict resolution procedures, thus providing for a quicker resolution of security vulnerabilities than was previously the case.At the time of the CPU application, customers faced with patch conflicts with the napply CPU will have the option to install the non-conflicting fixes (embedded in the non-conflicting molecules) and skip the fixes affected by conflicts.This option is known as partial napply.The benefit of this approach is that the affected environment gets immediate protection for those vulnerabilities that can be resolved with the non-conflicting fixes.Note that Oracle will provide a mapping of security vulnerabilities for each CPU molecule, so that customers will be able to assess the criticality of the vulnerabilities left unresolved by the partial napply.Oracle will also allow customers to open Service Requests to initiate the creation of napply Merge Patches that are specific to their environment immediately after the installation of a partial napply CPU, thus allowing for security patch conflicts to be resolved more quickly and efficiently.

By using the OPatch parameter �-skip_duplicate�, customers will have the ability to skip the application of those molecules that have been previously installed (for example by a previous CPU) thus reducing the changes introduced to the patched system.In other words, while the CPU remains cumulative, the CPU will install incrementally those new groups of fixes.Note however, that in order for this enhancement to be effective, the classic CPUs that were previously installed will have to be rolled back and replaced by the new format; this is a one time event achieved by installing the July 2007 CPU.